Kimsuky A Gift That Keeps on Giving
Introduction
Kimsuky - Shadow of Cyber Espionage
→ A sample was tweeted by our lovable malwrhunterteam with the tags pointing to Kimsuky 😍, and it was irresistible for us to have a look at it. The TTPs do point to Kimsuky or a DPRK-based threat actor. The initial infection vector is a LNK file, which is an approach commonly attributed to them.
LNK Parse
→ Like every sample, we upload it to VT to get a basic idea, and today's sample ranks 16/63. The sample is a LNK, or shortcut, file in Windows. We can use LNKParser to get the output in JSON format and work with it.
lnkparse sample.lnk > lnkparse.json
- Straight up we see some red flags like mshta.exe and some JavaScript command line arguments. mshta.exe is commonly abused by threat actors to execute malicious scripts via Microsoft HTML Application files. On crafting …
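To make the "red flag" triage step above repeatable, here is a small Python helper, added for this write-up and not part of the original post or of the LNKParser project. It walks the JSON produced by `lnkparse sample.lnk > lnkparse.json` and flags string values that contain the script-host indicators called out above (mshta.exe, javascript: arguments) plus a couple of other common LOLBin hosts. The key names in the embedded sample JSON ("data", "command_line_arguments", "relative_path") are assumptions, not LNKParser's real schema; the triage does not depend on them because it inspects every string leaf recursively.

```python
"""Triage helper for lnkparse JSON output (added illustration, not the post's code).

Recursively scans every string value in the parsed JSON and reports the ones
that match shortcut-abuse patterns, so it works regardless of where lnkparse
puts the command line in its schema.
"""
import json
import re

# Indicators a defender would want surfaced from a shortcut's fields.
# mshta and javascript: reflect the red flags noted in the write-up;
# powershell and cmd are added as other frequently abused script hosts.
RED_FLAGS = {
    "mshta": re.compile(r"mshta(\.exe)?", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript:", re.IGNORECASE),
    "powershell": re.compile(r"powershell(\.exe)?", re.IGNORECASE),
    "cmd": re.compile(r"\bcmd(\.exe)?\b", re.IGNORECASE),
}


def iter_strings(node, path=""):
    """Yield (json_path, text) for every string leaf in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def triage_lnk_json(parsed):
    """Return a list of (flag_name, json_path, snippet) for every matching string."""
    hits = []
    for path, text in iter_strings(parsed):
        for name, pattern in RED_FLAGS.items():
            if pattern.search(text):
                hits.append((name, path, text[:80]))
    return hits


def triage_file(filename):
    """Load a lnkparse JSON file from disk and triage it."""
    with open(filename, encoding="utf-8") as handle:
        return triage_lnk_json(json.load(handle))


# Constructed sample standing in for lnkparse output. The key layout is an
# assumption; only the string values matter to the triage logic above.
SAMPLE_JSON = json.dumps({
    "header": {"target_file_size": 0},
    "data": {
        "relative_path": "..\\..\\Windows\\System32\\mshta.exe",
        "command_line_arguments": "javascript:/* script body elided in this sample */",
        "icon_location": "%SystemRoot%\\System32\\shell32.dll",
    },
})


def demo():
    """Triage the constructed sample; returns the mshta and javascript: hits."""
    return triage_lnk_json(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    for flag, path, snippet in demo():
        print(f"[{flag}] {path}: {snippet}")
```

Run it against a real capture with `triage_file("lnkparse.json")`; each hit carries the JSON path, so you can see whether the indicator sat in the target path, the arguments, or somewhere less expected such as the icon location.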
IoC
37fb639a295daa760c739bc21c553406
4cbafb288263fe76f5e36f1f042be22d
50e4d8a112e4aad2c984d22f83c80c8723f232da
0c3fd7f45688d5ddb9f0107877ce2fbd
622358469e5e24114dd0eb03da815576
41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229
64.49.14.181
73ed9b012785dc3b3ee33aa52700cfe4